What is the best method to get rid of a pattern in multiple php files? [on hold]

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;







up vote
0
down vote

favorite












Working on infected website with hundreds of php files with the following injected signature code in the top of each file:



<?php /*457563643457563643*/ ?><?php /*5467543654675436*/ ?><?php /*6745833567458335*/ ?><?php /*87934538793453*/ ?>


followed by adjacent <?php part which has legitimate php code. In other words, the injected code is not on a separate line.



I composed the following code to get rid of the injected code:



grep -Rl 457563643457563643 . | xargs sed -i 's/<[?]php.*457563643457563643.*[?]>/<?php // RECOVERED FILE ?>/g'


which works fine, but unfortunately it also deletes the legitimate php tag that comes just after the injected code.



What would be the best method to get rid of exactly the following part injected in the top of each file:



<?php /*457563643457563643*/ ?><?php /*5467543654675436*/ ?><?php /*6745833567458335*/ ?><?php /*87934538793453*/ ?>






share|improve this question











put on hold as unclear what you're asking by Thomas Dickey, Sparhawk, Jeff Schaller, G-Man, Thomas yesterday


Please clarify your specific problem or add additional details to highlight exactly what you need. As it's currently written, it’s hard to tell exactly what you're asking. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.










  • 1




    Please provide your expected output. Are you trying to remove just the first <?php /*457563643457563643*/ ?>? Is this string always the same? (i.e. why use .* in your regex?)
    – Sparhawk
    2 days ago
















up vote
0
down vote

favorite












Working on infected website with hundreds of php files with the following injected signature code in the top of each file:



<?php /*457563643457563643*/ ?><?php /*5467543654675436*/ ?><?php /*6745833567458335*/ ?><?php /*87934538793453*/ ?>


followed by adjacent <?php part which has legitimate php code. In other words, the injected code is not on a separate line.



I composed the following code to get rid of the injected code:



grep -Rl 457563643457563643 . | xargs sed -i 's/<[?]php.*457563643457563643.*[?]>/<?php // RECOVERED FILE ?>/g'


which works fine, but unfortunately it also deletes the legitimate php tag that comes just after the injected code.



What would be the best method to get rid of exactly the following part injected in the top of each file:



<?php /*457563643457563643*/ ?><?php /*5467543654675436*/ ?><?php /*6745833567458335*/ ?><?php /*87934538793453*/ ?>






share|improve this question











put on hold as unclear what you're asking by Thomas Dickey, Sparhawk, Jeff Schaller, G-Man, Thomas yesterday


Please clarify your specific problem or add additional details to highlight exactly what you need. As it's currently written, it’s hard to tell exactly what you're asking. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.










  • 1




    Please provide your expected output. Are you trying to remove just the first <?php /*457563643457563643*/ ?>? Is this string always the same? (i.e. why use .* in your regex?)
    – Sparhawk
    2 days ago












up vote
0
down vote

favorite









up vote
0
down vote

favorite











Working on infected website with hundreds of php files with the following injected signature code in the top of each file:



<?php /*457563643457563643*/ ?><?php /*5467543654675436*/ ?><?php /*6745833567458335*/ ?><?php /*87934538793453*/ ?>


followed by adjacent <?php part which has legitimate php code. In other words, the injected code is not on a separate line.



I composed the following code to get rid of the injected code:



grep -Rl 457563643457563643 . | xargs sed -i 's/<[?]php.*457563643457563643.*[?]>/<?php // RECOVERED FILE ?>/g'


which works fine, but unfortunately it also deletes the legitimate php tag that comes just after the injected code.



What would be the best method to get rid of exactly the following part injected in the top of each file:



<?php /*457563643457563643*/ ?><?php /*5467543654675436*/ ?><?php /*6745833567458335*/ ?><?php /*87934538793453*/ ?>






share|improve this question











Working on infected website with hundreds of php files with the following injected signature code in the top of each file:



<?php /*457563643457563643*/ ?><?php /*5467543654675436*/ ?><?php /*6745833567458335*/ ?><?php /*87934538793453*/ ?>


followed by adjacent <?php part which has legitimate php code. In other words, the injected code is not on a separate line.



I composed the following code to get rid of the injected code:



grep -Rl 457563643457563643 . | xargs sed -i 's/<[?]php.*457563643457563643.*[?]>/<?php // RECOVERED FILE ?>/g'


which works fine, but unfortunately it also deletes the legitimate php tag that comes just after the injected code.



What would be the best method to get rid of exactly the following part injected in the top of each file:



<?php /*457563643457563643*/ ?><?php /*5467543654675436*/ ?><?php /*6745833567458335*/ ?><?php /*87934538793453*/ ?>








share|improve this question










share|improve this question




share|improve this question









asked 2 days ago









Nick

31




31




put on hold as unclear what you're asking by Thomas Dickey, Sparhawk, Jeff Schaller, G-Man, Thomas yesterday


Please clarify your specific problem or add additional details to highlight exactly what you need. As it's currently written, it’s hard to tell exactly what you're asking. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.






put on hold as unclear what you're asking by Thomas Dickey, Sparhawk, Jeff Schaller, G-Man, Thomas yesterday


Please clarify your specific problem or add additional details to highlight exactly what you need. As it's currently written, it’s hard to tell exactly what you're asking. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.









  • 1




    Please provide your expected output. Are you trying to remove just the first <?php /*457563643457563643*/ ?>? Is this string always the same? (i.e. why use .* in your regex?)
    – Sparhawk
    2 days ago












  • 1




    Please provide your expected output. Are you trying to remove just the first <?php /*457563643457563643*/ ?>? Is this string always the same? (i.e. why use .* in your regex?)
    – Sparhawk
    2 days ago







1




1




Please provide your expected output. Are you trying to remove just the first <?php /*457563643457563643*/ ?>? Is this string always the same? (i.e. why use .* in your regex?)
– Sparhawk
2 days ago




Please provide your expected output. Are you trying to remove just the first <?php /*457563643457563643*/ ?>? Is this string always the same? (i.e. why use .* in your regex?)
– Sparhawk
2 days ago










1 Answer
1






active

oldest

votes

















up vote
2
down vote



accepted










The best method is to go to one of your backups from before the intrusion and start from there. It sounds like you want a non-best way. You can use sed to do that.



Using sed, the most straightforward way to remove an exact block of text on a single line is just to use the s command to remove it explicitly:



sed -e 's!<?php /*457563643457563643*/ ?><?php /*5467543654675436*/ ?><?php /*6745833567458335*/ ?><?php /*87934538793453*/ ?>!!'


This just replaces the exact string you quoted with nothing – it's necessary to escape * metacharacter each time, but otherwise this is directly using s!pattern!replacement! in the usual manner.




I would use find -exec (better, -execdir if you've got it) instead of piping xargs, especially if I had a directory tree I couldn't trust. There could be filenames with all sorts of things in them, notably newlines, that might lead to executing commands you don't like. For this particular sed command line it's unlikely to be an actual problem, but I wouldn't count it out.



You can run the grep inside the find command and only act on the file if it matches, or just let sed handle it anyway - if the pattern doesn't match the file will be the same afterwards anyway.




Regardless, I'd still advise caution – these markers aren't the harmful part of things and the bits that are may not be so obvious.



See also: How do I deal with a compromised server?






share|improve this answer























  • Thanks for the suggestions. The grep -Rl 457563643457563643 . commands is just fine to get list of infected files. However, running the grep -Rl 457563643457563643 . | xargs sed -i 's!<?php /*457563643457563643*/ ?><?php /*546754365467543636*/ ?.<?php /*6745833567458335*/ ?><?php /*87934538793453*/ ?>!!' didn't have any effect.
    – Nick
    2 days ago










  • After trying different ways this one finally worked: grep -Rl 457563643457563643 . | xargs sed -i 's!<[?]php.*457563643457563643*.*[?]>!!' Still I accept your answer, thanks!
    – Nick
    2 days ago










  • Unfortunately, the way I found strips extra tags that follow the injected pattern, so I am still in search for the right answer. The answer suggested simply does not work.
    – Nick
    yesterday










  • It looks like there were a couple of digits repeated in the command originally, but they're gone now and it works for me.
    – Michael Homer
    yesterday










  • So it works if you don't escape question marks as you initially suggested. Thanks a lot!
    – Nick
    yesterday


















1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
2
down vote



accepted










The best method is to go to one of your backups from before the intrusion and start from there. It sounds like you want a non-best way. You can use sed to do that.



Using sed, the most straightforward way to remove an exact block of text on a single line is just to use the s command to remove it explicitly:



sed -e 's!<?php /*457563643457563643*/ ?><?php /*5467543654675436*/ ?><?php /*6745833567458335*/ ?><?php /*87934538793453*/ ?>!!'


This just replaces the exact string you quoted with nothing – it's necessary to escape * metacharacter each time, but otherwise this is directly using s!pattern!replacement! in the usual manner.




I would use find -exec (better, -execdir if you've got it) instead of piping xargs, especially if I had a directory tree I couldn't trust. There could be filenames with all sorts of things in them, notably newlines, that might lead to executing commands you don't like. For this particular sed command line it's unlikely to be an actual problem, but I wouldn't count it out.



You can run the grep inside the find command and only act on the file if it matches, or just let sed handle it anyway - if the pattern doesn't match the file will be the same afterwards anyway.




Regardless, I'd still advise caution – these markers aren't the harmful part of things and the bits that are may not be so obvious.



See also: How do I deal with a compromised server?






share|improve this answer























  • Thanks for the suggestions. The grep -Rl 457563643457563643 . commands is just fine to get list of infected files. However, running the grep -Rl 457563643457563643 . | xargs sed -i 's!<?php /*457563643457563643*/ ?><?php /*546754365467543636*/ ?.<?php /*6745833567458335*/ ?><?php /*87934538793453*/ ?>!!' didn't have any effect.
    – Nick
    2 days ago










  • After trying different ways this one finally worked: grep -Rl 457563643457563643 . | xargs sed -i 's!<[?]php.*457563643457563643*.*[?]>!!' Still I accept your answer, thanks!
    – Nick
    2 days ago










  • Unfortunately, the way I found strips extra tags that follow the injected pattern, so I am still in search for the right answer. The answer suggested simply does not work.
    – Nick
    yesterday










  • It looks like there were a couple of digits repeated in the command originally, but they're gone now and it works for me.
    – Michael Homer
    yesterday










  • So it works if you don't escape question marks as you initially suggested. Thanks a lot!
    – Nick
    yesterday















up vote
2
down vote



accepted










The best method is to go to one of your backups from before the intrusion and start from there. It sounds like you want a non-best way. You can use sed to do that.



Using sed, the most straightforward way to remove an exact block of text on a single line is just to use the s command to remove it explicitly:



sed -e 's!<?php /*457563643457563643*/ ?><?php /*5467543654675436*/ ?><?php /*6745833567458335*/ ?><?php /*87934538793453*/ ?>!!'


This just replaces the exact string you quoted with nothing – it's necessary to escape * metacharacter each time, but otherwise this is directly using s!pattern!replacement! in the usual manner.




I would use find -exec (better, -execdir if you've got it) instead of piping xargs, especially if I had a directory tree I couldn't trust. There could be filenames with all sorts of things in them, notably newlines, that might lead to executing commands you don't like. For this particular sed command line it's unlikely to be an actual problem, but I wouldn't count it out.



You can run the grep inside the find command and only act on the file if it matches, or just let sed handle it anyway - if the pattern doesn't match the file will be the same afterwards anyway.




Regardless, I'd still advise caution – these markers aren't the harmful part of things and the bits that are may not be so obvious.



See also: How do I deal with a compromised server?






share|improve this answer























  • Thanks for the suggestions. The grep -Rl 457563643457563643 . commands is just fine to get list of infected files. However, running the grep -Rl 457563643457563643 . | xargs sed -i 's!<?php /*457563643457563643*/ ?><?php /*546754365467543636*/ ?.<?php /*6745833567458335*/ ?><?php /*87934538793453*/ ?>!!' didn't have any effect.
    – Nick
    2 days ago










  • After trying different ways this one finally worked: grep -Rl 457563643457563643 . | xargs sed -i 's!<[?]php.*457563643457563643*.*[?]>!!' Still I accept your answer, thanks!
    – Nick
    2 days ago










  • Unfortunately, the way I found strips extra tags that follow the injected pattern, so I am still in search for the right answer. The answer suggested simply does not work.
    – Nick
    yesterday










  • It looks like there were a couple of digits repeated in the command originally, but they're gone now and it works for me.
    – Michael Homer
    yesterday










  • So it works if you don't escape question marks as you initially suggested. Thanks a lot!
    – Nick
    yesterday













up vote
2
down vote



accepted







up vote
2
down vote



accepted






The best method is to go to one of your backups from before the intrusion and start from there. It sounds like you want a non-best way. You can use sed to do that.



Using sed, the most straightforward way to remove an exact block of text on a single line is just to use the s command to remove it explicitly:



sed -e 's!<?php /*457563643457563643*/ ?><?php /*5467543654675436*/ ?><?php /*6745833567458335*/ ?><?php /*87934538793453*/ ?>!!'


This just replaces the exact string you quoted with nothing – it's necessary to escape * metacharacter each time, but otherwise this is directly using s!pattern!replacement! in the usual manner.




I would use find -exec (better, -execdir if you've got it) instead of piping xargs, especially if I had a directory tree I couldn't trust. There could be filenames with all sorts of things in them, notably newlines, that might lead to executing commands you don't like. For this particular sed command line it's unlikely to be an actual problem, but I wouldn't count it out.



You can run the grep inside the find command and only act on the file if it matches, or just let sed handle it anyway - if the pattern doesn't match the file will be the same afterwards anyway.




Regardless, I'd still advise caution – these markers aren't the harmful part of things and the bits that are may not be so obvious.



See also: How do I deal with a compromised server?






share|improve this answer















The best method is to go to one of your backups from before the intrusion and start from there. It sounds like you want a non-best way. You can use sed to do that.



Using sed, the most straightforward way to remove an exact block of text on a single line is just to use the s command to remove it explicitly:



sed -e 's!<?php /*457563643457563643*/ ?><?php /*5467543654675436*/ ?><?php /*6745833567458335*/ ?><?php /*87934538793453*/ ?>!!'


This just replaces the exact string you quoted with nothing – it's necessary to escape * metacharacter each time, but otherwise this is directly using s!pattern!replacement! in the usual manner.




I would use find -exec (better, -execdir if you've got it) instead of piping xargs, especially if I had a directory tree I couldn't trust. There could be filenames with all sorts of things in them, notably newlines, that might lead to executing commands you don't like. For this particular sed command line it's unlikely to be an actual problem, but I wouldn't count it out.



You can run the grep inside the find command and only act on the file if it matches, or just let sed handle it anyway - if the pattern doesn't match the file will be the same afterwards anyway.




Regardless, I'd still advise caution – these markers aren't the harmful part of things and the bits that are may not be so obvious.



See also: How do I deal with a compromised server?







share|improve this answer















share|improve this answer



share|improve this answer








edited yesterday


























answered 2 days ago









Michael Homer

42.1k6107146




42.1k6107146











  • Thanks for the suggestions. The grep -Rl 457563643457563643 . commands is just fine to get list of infected files. However, running the grep -Rl 457563643457563643 . | xargs sed -i 's!<?php /*457563643457563643*/ ?><?php /*546754365467543636*/ ?.<?php /*6745833567458335*/ ?><?php /*87934538793453*/ ?>!!' didn't have any effect.
    – Nick
    2 days ago










  • After trying different ways this one finally worked: grep -Rl 457563643457563643 . | xargs sed -i 's!<[?]php.*457563643457563643*.*[?]>!!' Still I accept your answer, thanks!
    – Nick
    2 days ago










  • Unfortunately, the way I found strips extra tags that follow the injected pattern, so I am still in search for the right answer. The answer suggested simply does not work.
    – Nick
    yesterday










  • It looks like there were a couple of digits repeated in the command originally, but they're gone now and it works for me.
    – Michael Homer
    yesterday










  • So it works if you don't escape question marks as you initially suggested. Thanks a lot!
    – Nick
    yesterday

















  • Thanks for the suggestions. The grep -Rl 457563643457563643 . commands is just fine to get list of infected files. However, running the grep -Rl 457563643457563643 . | xargs sed -i 's!<?php /*457563643457563643*/ ?><?php /*546754365467543636*/ ?.<?php /*6745833567458335*/ ?><?php /*87934538793453*/ ?>!!' didn't have any effect.
    – Nick
    2 days ago










  • After trying different ways this one finally worked: grep -Rl 457563643457563643 . | xargs sed -i 's!<[?]php.*457563643457563643*.*[?]>!!' Still I accept your answer, thanks!
    – Nick
    2 days ago










  • Unfortunately, the way I found strips extra tags that follow the injected pattern, so I am still in search for the right answer. The answer suggested simply does not work.
    – Nick
    yesterday










  • It looks like there were a couple of digits repeated in the command originally, but they're gone now and it works for me.
    – Michael Homer
    yesterday










  • So it works if you don't escape question marks as you initially suggested. Thanks a lot!
    – Nick
    yesterday
















Thanks for the suggestions. The grep -Rl 457563643457563643 . commands is just fine to get list of infected files. However, running the grep -Rl 457563643457563643 . | xargs sed -i 's!<?php /*457563643457563643*/ ?><?php /*546754365467543636*/ ?.<?php /*6745833567458335*/ ?><?php /*87934538793453*/ ?>!!' didn't have any effect.
– Nick
2 days ago




Thanks for the suggestions. The grep -Rl 457563643457563643 . commands is just fine to get list of infected files. However, running the grep -Rl 457563643457563643 . | xargs sed -i 's!<?php /*457563643457563643*/ ?><?php /*546754365467543636*/ ?.<?php /*6745833567458335*/ ?><?php /*87934538793453*/ ?>!!' didn't have any effect.
– Nick
2 days ago












After trying different ways this one finally worked: grep -Rl 457563643457563643 . | xargs sed -i 's!<[?]php.*457563643457563643*.*[?]>!!' Still I accept your answer, thanks!
– Nick
2 days ago




After trying different ways this one finally worked: grep -Rl 457563643457563643 . | xargs sed -i 's!<[?]php.*457563643457563643*.*[?]>!!' Still I accept your answer, thanks!
– Nick
2 days ago












Unfortunately, the way I found strips extra tags that follow the injected pattern, so I am still in search for the right answer. The answer suggested simply does not work.
– Nick
yesterday




Unfortunately, the way I found strips extra tags that follow the injected pattern, so I am still in search for the right answer. The answer suggested simply does not work.
– Nick
yesterday












It looks like there were a couple of digits repeated in the command originally, but they're gone now and it works for me.
– Michael Homer
yesterday




It looks like there were a couple of digits repeated in the command originally, but they're gone now and it works for me.
– Michael Homer
yesterday












So it works if you don't escape question marks as you initially suggested. Thanks a lot!
– Nick
yesterday





So it works if you don't escape question marks as you initially suggested. Thanks a lot!
– Nick
yesterday



Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?